https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118495#M16781 <P>Hi<BR /><BR />I have rule set up via DLP,&nbsp; to prevent certain data to leave via mail. The rule indeed works as it should.<BR /><BR />Since there are false positives possible - i have "ask user" enabled in order to let the user evaluate,<BR />I need to monitor all the events, in which the user has decided to "send anyway",<BR />I cant seem to find the relevant log "trigger" to display only dlp incidents where users found the warning to be irrelevant.<BR /><BR />Any hints, ideas or down right solutions to my need?<BR /><BR />regards<BR /><BR />Peter</P> Mon, 17 May 2021 08:40:46 GMT Peter_Bjeldbak 2021-05-17T08:40:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118495#M16781 <P>Hi<BR /><BR />I have rule set up via DLP,&nbsp; to prevent certain data to leave via mail. The rule indeed works as it should.<BR /><BR />Since there are false positives possible - i have "ask user" enabled in order to let the user evaluate,<BR />I need to monitor all the events, in which the user has decided to "send anyway",<BR />I cant seem to find the relevant log "trigger" to display only dlp incidents where users found the warning to be irrelevant.<BR /><BR />Any hints, ideas or down right solutions to my need?<BR /><BR />regards<BR /><BR />Peter</P> Mon, 17 May 2021 08:40:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118495#M16781 Peter_Bjeldbak 2021-05-17T08:40:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118504#M16782 <P>Custom action for logs (alert) for this rule, and/or specific filters for DLP logs/events</P> Mon, 17 May 2021 09:45:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118504#M16782 _Val_ 2021-05-17T09:45:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118534#M16787 <P>Hi - and thx for the reply.&nbsp; The log option is the on i am most keen on - but my problem is, simply put, i cant find the field/value which indicates the user response "send anyway" to the "ask user"<BR /><BR />I would like to have the log show ONLY those who have received the choise (those who have sent questionable materiel) AND have chosen to "send&nbsp; anyway"<BR /><BR />I have done tests and checked the log subsequently&nbsp; - to no avail <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /><BR /><BR /></P> Mon, 17 May 2021 13:21:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/118534#M16787 Peter_Bjeldbak 2021-05-17T13:21:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119215#M16867 <P>The end user generally has to provide a reason, which I imagine would go in the logs.<BR />If you open up a log card on an event, do you see this reason?<BR />If so, that would be the log field to trigger on.</P> Mon, 24 May 2021 03:45:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119215#M16867 PhoneBoy 2021-05-24T03:45:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119279#M16877 <P>Thank you for the reply.</P><P>As to log entry to use for sorting out certain answers - Unfortunatly not - i can´t seem to find any indication in the log indicating the users choice.&nbsp;&nbsp;<BR /><BR />I have tried looking at the dlp log upon the time of the user reply to see what gives - to no avail <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /><BR />What pussles me is that a premade log option would be logical at the get go&nbsp; - after all - you would want to to able find all users who desides to override the warning.<BR /><BR /></P> Tue, 25 May 2021 06:12:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119279#M16877 Peter_Bjeldbak 2021-05-25T06:12:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119285#M16878 <P>My desires have been met - i did find the solution and I am sorry to say - right in front of me.<BR /><BR />Turns out there actually is a field - which can be&nbsp;<SPAN>Utilised - however i need to use SmartView rather than the log ind smartconsole.<BR /><BR />The field "UserCheck response" fits like a glove (i feel stupid not finding this first time around)<BR /><BR />Anyway - call of the dogs <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR /></SPAN></P> Tue, 25 May 2021 06:57:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DLP-how-to-determine-user-action-upon-quot-ask-user-quot/m-p/119285#M16878 Peter_Bjeldbak 2021-05-25T06:57:13Z